### /etc/squid/squid.conf Configuration File ####
# Forward proxy (port 3128) with Active Directory single sign-on:
#   1. Negotiate (Kerberos, falling back to NTLM inside negotiate_wrapper)
#   2. pure NTLM
#   3. Basic auth checked against LDAP, for clients that cannot do 1 or 2
# Authorization level is then decided by AD group membership, looked up
# through the "memberof" external ACL defined below.
# Squid evaluates http_access top-down, first match wins, and every acl /
# external_acl_type must be defined before the http_access line that uses it,
# so keep the order of this file as it is.

### cache manager
cache_mgr luke.mundy@computercare.com.au

### negotiate kerberos and ntlm authentication
# -d on negotiate_wrapper and squid_kerb_auth enables helper debug output in
# cache.log; -s GSS_C_NO_NAME lets squid_kerb_auth accept any service
# principal present in the keytab.
# NOTE(review): the -d debug flags are verbose and write per-request
# authentication detail to cache.log -- confirm they are still wanted now that
# the setup is past troubleshooting.
auth_param negotiate program /usr/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
# alternative Kerberos-only negotiate helper, kept disabled
#auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -i
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
# The LDAP bind password is read from /etc/squid/ldappass.txt (-W) instead of
# being written inline here; that file should be readable only by the squid
# runtime user. -R = do not chase LDAP referrals. %s is replaced by the
# username the client supplied.
# Basic credentials are only base64-encoded on the client-to-proxy hop, so
# this fallback is only as private as that network segment.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=test,dc=local" -D squid@test.local -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h server08.test.local
auth_param basic children 10
auth_param basic realm Internet Proxy
# a cached username:password pair is re-validated against LDAP after this TTL;
# a short TTL means a disabled/changed account is cut off quickly at the cost
# of more LDAP binds
auth_param basic credentialsttl 1 minute

### ldap authorisation
# "memberof" external ACL: given the authenticated login (%LOGIN) and a group
# name, asks AD whether the user is a member of that group.
# -K strips the Kerberos realm from the login before the lookup (needed when
# the user came in via negotiate); -R = no referral chasing; in the filter
# %v is the user and %g the group name being tested.
# The same bind account and password file as the basic auth helper are used.
external_acl_type memberof %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=test,dc=local" -D squid@test.local -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=Test Environment,dc=test,dc=local))" -h server08.test.local

### acl for proxy auth and ldap authorizations
# matches only requests carrying valid proxy credentials; used negated below
# to force the 407 challenge
acl auth proxy_auth REQUIRED
# aclname acltype typename activedirectorygroup
# each *_access.txt file presumably lists the AD group name(s) passed to the
# memberof helper as %g -- verify against the files
acl BlockedAccess external memberof "/etc/squid/blocked_access.txt"
acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
acl StandardAccess external memberof "/etc/squid/standard_access.txt"
acl ExceptionAccess external memberof "/etc/squid/exception_access.txt"
acl FullAccess external memberof "/etc/squid/full_access.txt"
acl AnonymousAccess external memberof "/etc/squid/anonymous_access.txt"
# destination-domain lists, one domain per line
acl allowedsites dstdomain "/etc/squid/allowedsites.txt"
acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
acl exceptedsites dstdomain "/etc/squid/exceptedsites.txt"
acl prioritysites dstdomain "/etc/squid/prioritysites.txt"

### squid defaults
# manager / localhost / to_localhost are left commented, presumably because
# the installed Squid defines them built-in and rejects duplicates -- confirm
# against the running version
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# cache manager interface only from the proxy host itself
http_access allow manager localhost
http_access deny manager
# refuse ports outside Safe_ports, and CONNECT tunnels to anything but 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

### http_access rules
# allow unrestricted access to prioritysites
# NOTE(review): this rule sits before the authentication check, so any client
# that can reach port 3128 gets these domains without credentials, and (see
# access_log below) without an access.log entry -- confirm both are intended.
http_access allow prioritysites
# enforce authentication, order of rules is important for authorization levels
# denying on !auth is what makes Squid send the 407 challenge
http_access deny !auth
# prevent access to basic auth prompt for BlockedAccess users
# (the trailing "all" presumably keeps a failed group lookup from turning into
# another auth challenge -- a common Squid idiom)
http_access deny BlockedAccess all
# allowedsites is reachable by every authenticated user, including
# RestrictedAccess members, because it is matched before the deny below
http_access allow allowedsites
http_access deny RestrictedAccess all
http_access allow AnonymousAccess auth
http_access allow FullAccess auth
# ExceptionAccess members additionally get exceptedsites
http_access allow ExceptionAccess exceptedsites auth
# blockedsites only bites users who were not already allowed above
# (i.e. StandardAccess members)
http_access deny blockedsites
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all

### logging
# don't log allowedsites, prioritysites, AnonymousAccess
# NOTE(review): requests matching any of these leave no access.log record,
# which limits what can be reconstructed during an incident; confirm this
# trade-off is deliberate.
access_log /var/log/squid/access.log squid !allowedsites !prioritysites !AnonymousAccess

### squid Debian defaults
# no address given, so Squid listens on all interfaces; prefix an address
# (e.g. <internal-ip>:3128) if the host has a non-client-facing interface
http_port 3128
# hierarchy_stoplist is obsolete in newer Squid releases (always_direct covers
# it); harmless if the installed version still accepts it -- verify
hierarchy_stoplist cgi-bin ?
#coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320